Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Action does not work on PRs from forks #163

Open
aeneasr opened this issue Jul 27, 2022 · 4 comments
Open

Action does not work on PRs from forks #163

aeneasr opened this issue Jul 27, 2022 · 4 comments

Comments

@aeneasr
Copy link

aeneasr commented Jul 27, 2022

As a large open source organization, we follow GitHub's best practices to have two orgs:

  1. An open source org github.com/ory
  2. An enterprise org github.com/ory-corp

This allows us to invite unlimited collaborators to the open source projects, while staying compliant in all aspects of closed source development.

When users create PRs against our open source ecosystem, this usually happens on forks. The problem is that the GitHub Secret containing the personal access token that this action needs, is not available on forked repositories.

This leads the action to fail to run when a PR from a fork is added:

https://github.com/ory/kratos/runs/7496471335?check_suite_focus=true

Since we use the boards to also manage open source reviews as part of the product development activities, it would be awesome if PRs from forks could also somehow be added to the board.

To solve this, this action could also support a cron-style job which synchronizes all PRs and all issues to the board. This would allow us to sync "missed" PRs from forks because the cron job runs in the root org and has access to the secret.

@mschile
Copy link

mschile commented Aug 31, 2022

I believe you can use the pull_request_target event instead of pull_request since pull_request_target has access to the secrets.

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

@aaronshurley
Copy link

@mschile Thank you, that does work. Just so folks know, there are security implications with this approach: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

@camchenry
Copy link
Contributor

👋 Thank you for the feedback! I don't believe this is something that we currently support through this action. We have an item in our roadmap for automatically adding issues and pull requests to projects, as well as some new automation features related to that. I've passed on this feedback directly to the teams working on this functionality. If you have any additional information or feedback, please feel free to comment!

@wangela
Copy link

wangela commented Mar 15, 2023

I saw see in the documentation for Using encrypted secrets in a workflow that "With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository."

This is a problem for us, as we need to inject an API key to run tests on PRs. The API key is stored in encrypted secrets, but if the test workflows cannot access the secret when run from a forked PR (i.e. any open source contributor who is not an admin), then we cannot ensure that the PRs pass tests before merging them.

The documentation linked above does not offer a workaround or alternative approach. Is support for encrypted secrets in workflows on fork PRs a feature request that you have on your backlog or do I need to find an alternative method for securely injecting API keys into open source test workflows?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants